Researchers at FireEye have confirmed the Dutch police’s success in crippling the Bredolab botnet. However, while examining their Malware Intelligence Network, MAX, FireEye discovered one C&C server has remained active. Does this mean that Bredolab can make a return?

FireEye’s Atif Mushtaq, who researched the Bredolab shutdown, confirmed that the C&Cs seized in the takedown were offline. The praise being handed to the Dutch National Crime Squad (THTC) for killing this botnet is well deserved: it was a massive effort that took several agencies to accomplish.

“The sole purpose of Bredolab was to spread itself as aggressively as possible and offer pay per install services (normally a few cents per installation) to other cyber criminals who might not be very good at spreading their own malware,” Mushtaq wrote in the FireEye blog.

Pegged at 30 million bots, the Bredolab botnet was reported to have pushed nearly 3.6 billion malicious emails. The payloads, delivered by email attachment or by malicious links on social networks, were usually Trojans and sometimes rogue anti-Virus applications, but which Malware was dropped depended on the whim of whichever criminal had rented that segment of the overall botnet.

Mushtaq discovered that while 143 C&C servers were indeed taken offline, a single C&C in Russia (proobizz.cc) remained online. The bots still communicating with it are faithfully carrying out the last command issued to them, which instructed them to download various types of Malware, including TDSS.

Known to some as Alureon, or TDL3, the TDSS family of rootkits has caused enormous amounts of damage to home and business users. Earlier this year, TDSS triggered Blue Screens of Death when MS10-015 was installed: the update changed the kernel, moving several kernel APIs that TDL3 had hooked by hard-coded offset, so the rootkit began calling invalid RVAs (relative virtual addresses) and crashed the system.

TDL3 first registers itself as a print processor, which loads it into the printer subsystem (spoolsv.exe), a process that runs with administrative rights. Virus scanners that monitor process behavior are not alarmed, because the printer subsystem is a trusted part of Microsoft Windows.

“TDL3 has now full system access rights as Print Processor and infects the lower level system driver that is responsible for the communication with the hard drive. When virus scanners want to check this driver, they see the original file so they are unable to recognize the infection,” security vendor SurfRight explained in an advisory earlier this year.

After that, TDL3 writes an encrypted file system of its own into the last sectors of the hard drive, outside the regular file system. The encryption ensures that its contents cannot be read directly from disk, which keeps them away from anti-Virus scanners. This hidden file system is then used to store the other Malware the rootkit downloads from the Internet.
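The hidden container described above can be hunted for offline. The following Python script is an added example, not code from FireEye, SurfRight or this article: it computes the Shannon entropy of each sector in the tail of a raw disk image and reports contiguous runs of high-entropy sectors, which is what an encrypted area appended past the end of the last partition looks like. The disk image is constructed in memory for the demonstration, and the 7.0 bits-per-byte threshold is a heuristic, not a TDL3 signature.

```python
"""Entropy triage of a disk's trailing sectors for a TDL3-style hidden container.

Added example, not code from FireEye, SurfRight or the article. The image below is
constructed in memory; on a real case, read a dd image taken from clean boot media.
"""
import math
import random
from collections import Counter

SECTOR = 512                 # bytes per sector assumed for the image
HIGH_ENTROPY = 7.0           # bits/byte; random or encrypted 512-byte blocks score about 7.5


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy of the byte distribution in `data`, in bits per byte (0..8)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def high_entropy_runs(image: bytes, tail_sectors: int, threshold: float = HIGH_ENTROPY) -> list:
    """Scan the last `tail_sectors` sectors of `image` and return contiguous runs of
    sectors whose entropy is >= threshold, as (first_sector, last_sector) tuples
    numbered from sector 0 of the image."""
    total = len(image) // SECTOR
    runs = []
    for i in range(max(0, total - tail_sectors), total):
        sector = image[i * SECTOR:(i + 1) * SECTOR]
        if shannon_entropy(sector) < threshold:
            continue
        if runs and runs[-1][1] == i - 1:
            runs[-1] = (runs[-1][0], i)      # extend the current run
        else:
            runs.append((i, i))              # start a new run
    return runs


def build_sample_image(data_sectors: int = 960, hidden_sectors: int = 64, seed: int = 1) -> bytes:
    """Constructed disk image: low-entropy 'file system' data followed by a block of
    pseudo-random bytes standing in for the rootkit's encrypted container. Seeded so
    the result is reproducible; real encrypted data scores the same to the scan."""
    rng = random.Random(seed)
    filler = (b"NTFS file data: invoice 2010-10 " * 16)[:SECTOR]
    ordinary = filler * data_sectors
    hidden = bytes(rng.getrandbits(8) for _ in range(hidden_sectors * SECTOR))
    return ordinary + hidden


if __name__ == "__main__":
    img = build_sample_image()
    for first, last in high_entropy_runs(img, tail_sectors=256):
        print(f"high-entropy run: sectors {first}-{last} ({last - first + 1} sectors)")
```

Two caveats from the passage itself. Because TDL3 hooks the disk driver, a scan run from the infected Windows install may be fed clean data, so the image should be taken after booting from trusted media. And a high-entropy tail is a lead, not a verdict: full-disk encryption, compressed archives and drives wiped with random data produce the same signal, so cross-check the run against the partition table and the drive's documented capacity.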

What makes this Malware family unique, Mushtaq explains, is that, “TDSS is one of the very few botnets that use SSL for their command and control communication.”

“There is a possibility that this particular CnC domain was simply overlooked during this crackdown and now zombies communicating to this CnC are on auto-pilot. If this is the case then in the absence of the bot herders to control things, there is a good chance that malware connecting to this CnC will continue to obey the last configured command.”

No one is certain whether the person arrested shortly after the Bredolab takedown is the one controlling the Russian C&C, and there is no clear answer as to how that C&C survived the sweep. The Dutch police had the cooperation of the hosting provider that maintained the other 143 servers, so the fact that this one is located in Russia may be the only reason it wasn’t taken offline as well.

So then, given that the Russian C&C is online, was the takedown unsuccessful? In his blog post, Mushtaq reminded those who may have forgotten that the Pushdo.D botnet rose from the ashes after a massive hit as well. This takedown is different.

“In the case of Pushdo.D, there was a long list of CnC servers out of which some were never taken down. This made it possible for the bot herders behind it to recover after a few weeks. Bredolab doesn't maintain a long list of backup CnC servers. Instead different malware builds come with a small and distinct set of CnC domains. So I have no doubt that a big portion of this botnet has been dismantled and is never going to recover,” he explained.

For now, it’s a wait and see scenario. Unless someone uses the C&C to issue new commands, the Bredolab botnet is as good as dead. Mushtaq said that he plans to keep tabs on the status of the remaining C&C. You can follow his progress on the FireEye blog.

Update:

Symantec is confirming some of what FireEye discovered. According to a spokesperson, MessageLabs Intelligence is still seeing Bredolab spam runs; three separate runs were observed yesterday morning and afternoon.

The first run started at 09:21AM and ended at around 11:50AM. The second run started at 10:30AM and stopped at 10:50AM. The third run started at 2:30PM and stopped at 3:30PM.

[Symantec did not list the time zone, but we're thinking UTC. -ED]

More than 750 Bredolab emails have been observed, nearly 400 of them targeting Spanish e-mail users. All carried a similar subject line referring to "DHL International." Like the other Bredolab-based malicious attachments, the file uses a fake icon (a fake MS Excel icon in the example Symantec provided) to deceive the user into opening an executable.

If opened, the attachment connects to a C&C in Russia. The payload delivered is rogue anti-Virus.
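The lure works because the Excel icon lives in the executable's resource section, so the file can be named and declared as a document while its first bytes still say "MZ". The following Python script is an added example, not Symantec's or this article's code: it parses a message, sniffs each attachment's leading bytes and compares them with the filename's extension(s), flagging document-named or double-extension executables. The sample message, its addresses and the attachment names are constructed for the demonstration.

```python
"""Flag mail attachments whose name and declared type disguise an executable.

Added example, not Symantec's or the article's code. The message built below is
constructed for the demonstration; dhl.example and the attachment names are made up.
"""
import email
from email import policy
from email.message import EmailMessage
from pathlib import PurePosixPath

# Leading bytes of the formats a "DHL document" lure typically claims to be,
# plus the Windows executable header the lure actually carries.
MAGIC = (
    (b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1", "ole2 (legacy .xls/.doc)"),
    (b"PK\x03\x04", "zip container (.xlsx/.docx)"),
    (b"%PDF", "pdf"),
    (b"MZ", "pe executable"),
)
DOC_EXTS = {".xls", ".xlsx", ".doc", ".docx", ".pdf"}
EXEC_EXTS = {".exe", ".scr", ".pif", ".com", ".bat", ".cmd"}


def sniff(data: bytes) -> str:
    """Identify `data` by its leading bytes; 'unknown' if no magic matches."""
    for magic, kind in MAGIC:
        if data.startswith(magic):
            return kind
    return "unknown"


def inspect_attachment(filename: str, data: bytes) -> list:
    """Return the reasons an attachment looks like a disguised executable (empty if none)."""
    suffixes = [s.lower() for s in PurePosixPath(filename).suffixes]
    last = suffixes[-1] if suffixes else ""
    kind = sniff(data)
    reasons = []
    if last in DOC_EXTS and kind == "pe executable":
        reasons.append("document extension but PE content")
    if len(suffixes) >= 2 and suffixes[-2] in DOC_EXTS and last in EXEC_EXTS:
        # Explorer shows "DHL_document.xls" when known extensions are hidden.
        reasons.append("double extension hides executable")
    if kind == "pe executable" or last in EXEC_EXTS:
        reasons.append("executable attachment")
    return reasons


def scan_message(raw: bytes) -> list:
    """Parse a raw RFC 822 message and inspect every attachment."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    findings = []
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        data = part.get_payload(decode=True) or b""
        findings.append({"filename": name, "content": sniff(data),
                         "declared": part.get_content_type(),
                         "reasons": inspect_attachment(name, data)})
    return findings


def build_sample_message() -> bytes:
    """Constructed lure: the first attachment is declared as Excel and named like a
    workbook, but its bytes are a PE stub (a header only, not a runnable program);
    the second is a benign OLE2 header with an honest name."""
    msg = EmailMessage()
    msg["From"] = "noreply@dhl.example"
    msg["To"] = "victim@example.com"
    msg["Subject"] = "DHL International: shipment notification"
    msg.set_content("Your parcel could not be delivered. Please open the attached document.")
    fake_pe = b"MZ\x90\x00" + bytes(60) + b"PE\x00\x00"
    msg.add_attachment(fake_pe, maintype="application", subtype="vnd.ms-excel",
                       filename="DHL_document.xls.exe")
    real_xls = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1" + bytes(24)
    msg.add_attachment(real_xls, maintype="application", subtype="vnd.ms-excel",
                       filename="invoice.xls")
    return msg.as_bytes()


if __name__ == "__main__":
    for f in scan_message(build_sample_message()):
        verdict = "FLAG" if f["reasons"] else "ok"
        print(f"{verdict:4} {f['filename']:24} content={f['content']} "
              f"declared={f['declared']} {f['reasons']}")
```

The point of the check is that neither the sender-supplied Content-Type nor the visible filename is trusted; only the bytes are. A gateway that keys on the MIME type or on the last extension alone passes this lure. Bredolab also shipped executables inside ZIP attachments, which this block does not unpack; a production filter would recurse into archives and apply the same sniff to each member.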

Update 2:

There is more information coming. Right now there are two confirmed Bredolab C&Cs. The first, proobizz.cc, last issued commands at 6:40 a.m. today; this is the active server FireEye reported on.

The second C&C, discovered by Symantec, has also been monitored by FireEye researchers. The domain, LodFewPleaser.com (109.196.143.133), is hosted in the same colocation facility as the original C&C, so there are now two Bredolab C&C servers active in Russia.

As an interesting side note, the second C&C uses dynamic DNS out of China (dns.com.cn).

FireEye has discovered a third C&C, in Kazakhstan, which is pushing rogue anti-Virus software to infected systems. At the time of the discovery, the Malware being pushed by upload-good.net was detected by only a single anti-Virus vendor (AntiVir).
